MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c622986242d31d7da7e08acc5ff69b78a4a57b8ed6614211d27a4db18efc3839. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Quakbot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c622986242d31d7da7e08acc5ff69b78a4a57b8ed6614211d27a4db18efc3839
SHA3-384 hash: 7829df5398b0cb3f55d75bd32e6069f7bc36f079d4ab1b543c66260279f331046198ff64a28723797c95012b32910969
SHA1 hash: f1cf03f3f1303ed71a1190888eea49ccee75e3eb
MD5 hash: 83df5ed47701303dd7154906c2690344
humanhash: violet-football-bacon-coffee
File name:3275690.dat
Download: download sample
Signature Quakbot
Create hunting rule
File size:458'752 bytes
First seen:2021-05-26 19:35:53 UTC
Last seen:2021-05-26 20:37:40 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 21924cab50e090dd6b6bd1e7f96292cb (1 x Quakbot)
ssdeep 6144:mRu0+NCirQ6TBByIeJzt93S0EE8cuFA6Epnznitg8055EX+dridv:muVONPfzit1055EX+dW5
Threatray 1'469 similar samples on MalwareBazaar
TLSH 40A4BF699A63C526E2162FF4A2C36F5809539CF23220654F45B17F293EAD3D47C3AF48
Reporter James_inthe_box
Tags:dat Quakbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Detection:
QakBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162577/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APW.31267.12024.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Modifying an executable file
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792881
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Qbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 425279 Sample: 3275690.dat Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 3 other signatures 2->61 8 loaddll32.exe 1 2->8         started        11 regsvr32.exe 2->11         started        process3 signatures4 63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->63 65 Injects code into the Windows Explorer (explorer.exe) 8->65 67 Maps a DLL or memory area into another process 8->67 13 regsvr32.exe 8->13         started        16 cmd.exe 1 8->16         started        18 rundll32.exe 8->18         started        22 4 other processes 8->22 20 regsvr32.exe 11->20         started        process5 file6 81 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->81 83 Injects code into the Windows Explorer (explorer.exe) 13->83 85 Writes to foreign memory regions 13->85 25 explorer.exe 13->25         started        28 rundll32.exe 16->28         started        87 Allocates memory in foreign processes 18->87 89 Maps a DLL or memory area into another process 18->89 30 explorer.exe 18->30         started        32 WerFault.exe 20->32         started        47 C:\Users\user\Desktop\3275690.dll, PE32 22->47 dropped 34 iexplore.exe 150 22->34         started        37 schtasks.exe 22->37         started        39 explorer.exe 22->39         started        41 explorer.exe 22->41         started        signatures7 process8 dnsIp9 69 Contain functionality to detect virtual machines 25->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 25->71 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->73 75 Injects code into the Windows Explorer (explorer.exe) 28->75 77 Writes to foreign memory regions 28->77 79 2 other signatures 28->79 43 explorer.exe 28->43         started        49 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49725, 49726 YAHOO-DEBDE United Kingdom 34->49 51 geolocation.onetrust.com 104.20.185.68, 443, 49713, 49714 CLOUDFLARENETUS United States 34->51 53 8 other IPs or domains 34->53 45 conhost.exe 37->45         started        signatures10 process11
Detection:
qbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c622986242d31d7da7e08acc5ff69b78a4a57b8ed6614211d27a4db18efc3839/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 19:35:45 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
qakbot
Create hunting rule
Similar samples:
22cf76937043b616cb4c67bec58e329fecc91015329799f7b85abda1b2f6fde2
Quakbot
37811565805d0410d1f88f67d722b4d51f3279421566878cf9382f57ab4b81b0
Quakbot
40d87a4a8587ce2fd9c5b01cb951a21b5d6e09d4e97cef8bf2846b69b6f416a8
Quakbot
6ebaef2ff645ee94e360faee2321418a228c16371009452625d500001c02cdea
Quakbot
8f475f3699ee5798f0364a39da6cb668aa89dd20879e41d4a394e1b66ed9f09a
Quakbot
915e6b821a4d174598c27f8d6ffea83e9abaf880870380aba652eba0804682e3
Quakbot
9c0d63c8ba5b8144833ff9dfc05ed0d2b71eeefc311a3231299fdfb01d75d098
Quakbot
b0f5dacf46c29672878becdd25fb6bf0f2e1d34aa48ff14c2326ec122b4710c7
Quakbot
e0d3caab5d2ea5a694f8f89ae12f5d1fd67c2750dd389a6885ff5e9644c5b2f9
Quakbot
fc6a5e4a42b776a468374979e10406af518fe88fb462a2a3a3e4e4dd4a921293
Quakbot
+ 1'459 additional samples on MalwareBazaar
Result
Malware family:
qakbot
Create hunting rule
Score:
  10/10
Tags:
family:qakbot botnet:biden50 campaign:1622023364 banker stealer trojan
Link:
https://tria.ge/reports/210526-2h7hjsrx9a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Qakbot/Qbot
Malware Config
C2 Extraction:
197.45.110.165:995
24.122.166.173:443
47.22.148.6:443
45.63.107.192:995
149.28.99.97:995
71.187.170.235:443
100.2.123.234:443
96.61.23.88:995
75.67.192.125:443
122.58.117.81:995
136.232.34.70:443
140.82.49.12:443
86.220.62.251:2222
68.186.192.69:443
92.59.35.196:2222
207.246.116.237:8443
207.246.77.75:995
144.202.38.185:995
207.246.77.75:443
207.246.77.75:2222
45.77.117.108:995
45.77.115.208:8443
45.77.117.108:443
149.28.101.90:2222
207.246.77.75:8443
144.202.38.185:443
207.246.116.237:443
207.246.116.237:995
149.28.101.90:443
149.28.101.90:8443
149.28.98.196:995
45.77.115.208:995
45.77.117.108:2222
45.77.117.108:8443
45.32.211.207:443
149.28.98.196:443
45.77.115.208:2222
144.202.38.185:2222
207.246.116.237:2222
45.32.211.207:995
45.32.211.207:2222
45.32.211.207:8443
149.28.98.196:2222
45.77.115.208:443
149.28.101.90:995
216.201.162.158:443
144.139.47.206:443
71.41.184.10:3389
98.192.185.86:443
83.110.109.252:2222
24.179.77.148:443
184.185.103.157:443
95.77.223.148:443
105.198.236.99:443
105.198.236.101:443
50.244.112.106:443
172.78.43.46:443
45.63.107.192:443
27.223.92.142:995
68.204.7.158:443
173.21.10.71:2222
81.97.154.100:443
76.25.142.196:443
75.118.1.141:443
67.165.206.193:993
73.151.236.31:443
98.252.118.134:443
97.69.160.4:2222
189.210.115.207:443
151.205.102.42:443
72.252.201.69:443
75.137.47.174:443
50.29.166.232:995
24.55.112.61:443
72.240.200.181:2222
109.12.111.14:443
71.74.12.34:443
188.26.91.212:443
115.133.243.6:443
190.85.91.154:443
73.25.124.140:2222
81.214.126.173:2222
92.96.3.180:2078
71.163.224.97:443
24.139.72.117:443
86.173.143.211:443
47.196.213.73:443
86.248.16.253:2222
45.63.107.192:2222
149.28.99.97:2222
149.28.99.97:443
96.37.113.36:993
24.229.150.54:995
45.46.53.140:2222
24.152.219.253:995
186.154.175.13:443
70.163.161.79:443
24.95.61.62:443
78.63.226.32:443
83.196.56.65:2222
195.6.1.154:2222
76.168.147.166:993
64.121.114.87:443
77.27.207.217:995
31.4.242.233:995
125.62.192.220:443
195.12.154.8:443
71.117.132.169:443
96.21.251.127:2222
71.199.192.62:443
70.168.130.172:995
82.12.157.95:995
209.210.187.52:995
209.210.187.52:443
67.6.12.4:443
189.222.59.177:443
174.104.22.30:443
142.117.191.18:2222
189.146.183.105:443
213.60.147.140:443
196.221.207.137:995
108.46.145.30:443
187.250.238.164:995
2.7.116.188:2222
195.43.173.70:443
106.250.150.98:443
45.67.231.247:443
83.110.103.152:443
83.110.9.71:2222
78.97.207.104:443
59.90.246.200:443
80.227.5.69:443
125.63.101.62:443
86.236.77.68:2222
109.106.69.138:2222
84.72.35.226:443
217.133.54.140:32100
197.161.154.132:443
89.137.211.239:995
74.222.204.82:995
122.148.156.131:995
156.223.110.23:443
144.139.166.18:443
202.185.166.181:443
76.94.200.148:995
71.63.120.101:443
196.151.252.84:443
202.188.138.162:443
74.68.144.202:443
69.58.147.82:2078
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c622986242d31d7da7e08acc5ff69b78a4a57b8ed6614211d27a4db18efc3839

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/162577/
  
URLhaus
https://urlhaus.abuse.ch/url/1288171/
  
URLhaus
https://urlhaus.abuse.ch/url/1288172/
  
URLhaus
https://urlhaus.abuse.ch/url/1288170/
  
URLhaus
https://urlhaus.abuse.ch/url/1288173/
  
URLhaus
https://urlhaus.abuse.ch/url/1288175/
  
URLhaus
https://urlhaus.abuse.ch/url/1288177/
  
URLhaus
https://urlhaus.abuse.ch/url/1289960/
  
URLhaus
https://urlhaus.abuse.ch/url/1289959/
  
URLhaus
https://urlhaus.abuse.ch/url/1289961/

Comments